Quoting Michael Ströder <michael(a)stroeder.com>:
> uid=([^,]*) looks strange to me. How about trying uid=([^,]+)
> instead?
That would only help to avoid matching an empty uid. Anyway, we've
already established that the problem is not the search pattern, but
the authz-regexp replacement pattern. Howard has suggested an
interesting LDAP search URL/URI; it may not work, but it looks like
the right idea.
Also, I'm still bothered by the note at the very end of section 15.2.6
of the OpenLDAP admin manual. There's a similar note on the man page
for slapd.conf:
"The protocol portion of the URI must be strictly ldap.
Note that this search is subject to access controls.
Specifically, the authentication identity must have
"auth" access in the subject."
Perhaps Howard's URL is correct, but that this issue is keeping it
from working. This is even what my question was originally about: What
does this mean? Who is supposed to have auth access to what in order
for this to work?
Cheers,
Jaap
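For readers arriving at this thread later, here is a constructed slapd.conf fragment (not from the thread, nor Howard's or Jaap's configuration) that puts the two pieces under discussion side by side: an authz-regexp whose replacement is an ldap:/// search URI, and an access directive giving the not-yet-mapped authentication identity the "auth" access the manual note quoted above calls for. The suffix dc=example,dc=com, the ou=people subtree and the attribute names are assumptions.

```conf
# Constructed slapd.conf fragment (example only, not the thread's config).
#
# 1. Map SASL identities of the form uid=<name>,cn=<realm|mech>,cn=auth
#    onto a real entry by searching for uid=<name>.  The replacement is an
#    LDAP URI: scheme must be "ldap", then base ? attrs ? scope ? filter.
#    $1 is the first capture group of the match pattern; [^,]+ rather than
#    [^,]* so an empty uid never matches.
authz-regexp
  "^uid=([^,]+),cn=[^,]+,cn=auth$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# 2. The search in step 1 runs as the unmapped authentication identity
#    (the uid=...,cn=...,cn=auth DN itself), so that identity, matched
#    here by dn.regex, needs "auth" access to the entries and to the
#    attribute used in the filter.  Which attributes and entries this
#    rule must cover is the question raised in the thread; this is the
#    reading of the manual note, stated as an assumption.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,uid
  by dn.regex="^uid=[^,]+,cn=[^,]+,cn=auth$" auth
  by users read
  by * none

# Ordinary rules for everything else follow; keep them after the rule above,
# since slapd stops at the first "access to" clause whose target matches.
access to *
  by users read
  by * none

# 3. While testing, log ACL decisions so a denied internal search is visible.
loglevel acl
```

With loglevel acl set, the slapd log shows each access_allowed check for the internal search, which makes it possible to see whether the authentication identity was refused auth access to the entry or the uid attribute rather than guessing. Remove the loglevel once the mapping works, since ACL logging is verbose.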